Description
Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26.
Published: 2026-02-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation and Platform Compromise
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Devtron's Attributes API allows any authenticated user to retrieve the global API Token signing key via /orchestrator/attributes?key=apiTokenSecret. With the key, attackers can forge JWTs for arbitrary identities offline, granting them full control over the Devtron platform and enabling lateral movement into the underlying Kubernetes cluster. This flaw is a classic example of missing authorization (CWE-862).

Affected Systems

The issue affects Devtron versions 2.0.0 and earlier deployed in Kubernetes environments. The affected product is the Devtron application platform, as listed by the CNA vendor devtron-labs. No additional product variants are implicated by the current data.

Risk and Exploitability

Overall severity is high with a CVSS score of 8.7, but the EPSS score is less than 1% and the vulnerability is not yet in the CISA KEV catalog, indicating a relatively low probability of exploitation in the wild. Exploitation requires only standard authentication to Devtron, so low-privileged CI/CD developers can reach the endpoint. Once the signing key is stolen, attackers can impersonate any user, resulting in a complete loss of confidentiality, integrity, and availability for the entire platform.

Generated by OpenCVE AI on April 17, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official fix resulting from commit d2b0d260d858ab1354b73a8f50f7f078ca62706f or upgrade to a version newer than 2.0.0.
  • Restrict the /orchestrator/attributes API endpoint to users with administrative privileges or disable the key retrieval parameter entirely.
  • Rotate all API tokens and JWT signing keys throughout the Devtron deployment after applying the patch to eliminate any compromised keys.
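
The authorization gap behind the second recommendation, shown as an added Go example that is not Devtron's code: a weak attribute-read path gated by authentication alone beside a hardened one that requires an administrator for secret-bearing keys such as apiTokenSecret. The `principal` type, the in-memory `attributes` map and the `sensitiveKeys` set are assumptions standing in for the real request context and store.

```go
package main
import (
	"errors"
	"fmt"
)

// Caller identity as an upstream authentication layer would set it (constructed).
type principal struct {
	Name    string
	IsAdmin bool
}

var (
	errForbidden = errors.New("forbidden: attribute restricted to administrators")
	errNotFound  = errors.New("attribute not found")
)

// Hypothetical in-memory attribute store; the secret value is a constructed placeholder.
var attributes = map[string]string{
	"apiTokenSecret": "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY",
	"ui.banner":      "Welcome",
}

// Secret-bearing keys a generic attribute-read path must never hand to a non-admin (the missing CWE-862 check).
var sensitiveKeys = map[string]bool{"apiTokenSecret": true}

// vulnerableRead: authentication alone gates the read, so any logged-in user can fetch the signing key.
func vulnerableRead(_ principal, key string) (string, error) {
	if v, ok := attributes[key]; ok {
		return v, nil
	}
	return "", errNotFound
}

// hardenedRead: authorize before reading; a non-admin asking for a sensitive key gets errForbidden.
func hardenedRead(p principal, key string) (string, error) {
	if sensitiveKeys[key] && !p.IsAdmin {
		return "", errForbidden
	}
	return vulnerableRead(p, key)
}

func main() {
	dev := principal{Name: "ci-developer", IsAdmin: false}
	_, err := vulnerableRead(dev, "apiTokenSecret")
	fmt.Println("vulnerable path:", err) // <nil>: the secret was returned
	_, err = hardenedRead(dev, "apiTokenSecret")
	fmt.Println("hardened path:  ", err) // forbidden: attribute restricted to administrators
}
```

The check runs before the store lookup, so a non-admin also cannot use the error to confirm that the key exists.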

Advisories

Source: GitHub GHSA
ID: GHSA-8wpc-j9q9-j5m2
Title: Devtron Attributes API Unauthorized Access Leading to API Token Signing Key Leakage

History

Wed, 11 Feb 2026 19:15:00 +0000
  Values Added:
    CPEs: cpe:2.3:a:devtron:devtron:*:*:*:*:*:kubernetes:*:*
    Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Feb 2026 19:15:00 +0000
  Values Added:
    Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000
  Values Added:
    First Time appeared: Devtron, Devtron devtron
    Vendors & Products: Devtron, Devtron devtron

Wed, 04 Feb 2026 21:45:00 +0000
  Values Added:
    Description: Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron's Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26.
    Title: Devtron Attributes API Unauthorized Access Leading to API Token Signing Key Leakage
    Weaknesses: CWE-862
    References:
    Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T18:37:58.750Z

Reserved: 2026-02-02T19:59:47.374Z

Link: CVE-2026-25538

Vulnrichment

Updated: 2026-02-05T18:37:42.562Z

NVD

Status: Analyzed

Published: 2026-02-04T22:15:59.943

Modified: 2026-02-11T19:10:54.880

Link: CVE-2026-25538

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses